authorJustin M. Forbes <jforbes@fedoraproject.org>2020-05-12 17:29:14 -0500
committerJustin M. Forbes <jforbes@fedoraproject.org>2020-05-12 17:29:14 -0500
commit5cd9a1b23bbbec24f24fc08fb3d84de6846db72b (patch)
treeecf76adcfbf2972ddce725fa3dd91bce4ccec0e0
parentf7dd9b1fa94493688095850c569b2aa02feb61b5 (diff)
Fix CVE-2020-10711 (rhbz 1825116 1834778)
Signed-off-by: Justin M. Forbes <jforbes@fedoraproject.org>
-rw-r--r--kernel.spec6
-rw-r--r--net-netlabel-cope-with-NULL-catmap.patch95
2 files changed, 101 insertions, 0 deletions
diff --git a/kernel.spec b/kernel.spec
index a987805c2..a89cbc5ab 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -906,6 +906,9 @@ Patch511: e1000e-bump-up-timeout-to-wait-when-ME-un-configure-ULP-mode.patch
Patch512: drm-dp_mst-Fix-drm_dp_send_dpcd_write-return-code.patch
+# CVE-2020-10711 rhbz 1825116 1834778
+Patch513: net-netlabel-cope-with-NULL-catmap.patch
+
# END OF PATCH DEFINITIONS
%endif
@@ -3002,6 +3005,9 @@ fi
#
#
%changelog
+* Tue May 12 2020 Justin M. Forbes <jforbes@fedoraproject.org>
+- Fix CVE-2020-10711 (rhbz 1825116 1834778)
+
* Mon May 11 2020 Justin M. Forbes <jforbes@fedoraproject.org> - 5.6.12-300
- Linux v5.6.12
diff --git a/net-netlabel-cope-with-NULL-catmap.patch b/net-netlabel-cope-with-NULL-catmap.patch
new file mode 100644
index 000000000..06a915121
--- /dev/null
+++ b/net-netlabel-cope-with-NULL-catmap.patch
@@ -0,0 +1,95 @@
+From MAILER-DAEMON Tue May 12 19:31:23 2020
+From: Paolo Abeni <pabeni@redhat.com>
+To: netdev@vger.kernel.org
+Cc: "David S. Miller" <davem@davemloft.net>, Jakub Kicinski <kuba@kernel.org>, linux-security-module@vger.kernel.org, Paul Moore <paul@paul-moore.com>, ppandit@redhat.com, Matthew Sheets <matthew.sheets@gd-ms.com>
+Subject: [PATCH net] netlabel: cope with NULL catmap
+Date: Tue, 12 May 2020 14:43:14 +0200
+Message-Id: <07d99ae197bfdb2964931201db67b6cd0b38db5b.1589276729.git.pabeni@redhat.com>
+Sender: owner-linux-security-module@vger.kernel.org
+List-ID: <linux-security-module.vger.kernel.org>
+MIME-Version: 1.0
+Content-Type: text/plain; charset="utf-8"
+Content-Transfer-Encoding: 7bit
+
+The cipso and calipso code can set the MLS_CAT attribute on
+successful parsing, even if the corresponding catmap has
+not been allocated, as per current configuration and external
+input.
+
+Later, selinux code tries to access the catmap if the MLS_CAT flag
+is present via netlbl_catmap_getlong(). That may cause null ptr
+dereference while processing incoming network traffic.
+
+Address the issue setting the MLS_CAT flag only if the catmap is
+really allocated. Additionally let netlbl_catmap_getlong() cope
+with NULL catmap.
+
+Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
+Fixes: 4b8feff251da ("netlabel: fix the horribly broken catmap functions")
+Reported-by: Matthew Sheets <matthew.sheets@gd-ms.com>
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+---
+ net/ipv4/cipso_ipv4.c | 6 ++++--
+ net/ipv6/calipso.c | 3 ++-
+ net/netlabel/netlabel_kapi.c | 6 ++++++
+ 3 files changed, 12 insertions(+), 3 deletions(-)
+
+diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
+index 0bd10a1f477f..a23094b050f8 100644
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1258,7 +1258,8 @@ static int cipso_v4_parsetag_rbm(const struct cipso_v4_doi *doi_def,
+ return ret_val;
+ }
+
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+
+ return 0;
+@@ -1439,7 +1440,8 @@ static int cipso_v4_parsetag_rng(const struct cipso_v4_doi *doi_def,
+ return ret_val;
+ }
+
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+
+ return 0;
+diff --git a/net/ipv6/calipso.c b/net/ipv6/calipso.c
+index 221c81f85cbf..8d3f66c310db 100644
+--- a/net/ipv6/calipso.c
++++ b/net/ipv6/calipso.c
+@@ -1047,7 +1047,8 @@ static int calipso_opt_getattr(const unsigned char *calipso,
+ goto getattr_return;
+ }
+
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+
+ secattr->type = NETLBL_NLTYPE_CALIPSO;
+diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
+index 409a3ae47ce2..5e1239cef000 100644
+--- a/net/netlabel/netlabel_kapi.c
++++ b/net/netlabel/netlabel_kapi.c
+@@ -734,6 +734,12 @@ int netlbl_catmap_getlong(struct netlbl_lsm_catmap *catmap,
+ if ((off & (BITS_PER_LONG - 1)) != 0)
+ return -EINVAL;
+
++ /* a null catmap is equivalent to an empty one */
++ if (!catmap) {
++ *offset = (u32)-1;
++ return 0;
++ }
++
+ if (off < catmap->startbit) {
+ off = catmap->startbit;
+ *offset = off;
+--
+2.21.3
+
+
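Review bot: The new `if (secattr->attr.mls.cat)` guard in cipso_v4_parsetag_rbm (and the identical ones in cipso_v4_parsetag_rng and calipso_opt_getattr) is not self-explanatory: nothing at the call site says why a successfully parsed category tag can leave `attr.mls.cat` NULL, so the next person simplifying the code may drop the test and reintroduce the NULL dereference the cover letter describes as reachable from incoming traffic. A one-line comment above each guard would help, e.g. `/* the catmap is only allocated once a category is set; a tag that sets none leaves it NULL, so do not advertise MLS_CAT for it */`. The enclosing functions start and end outside these hunks, and the link between category parsing and catmap allocation is taken from the cover letter rather than visible here, so word the comment to match the actual allocation helper. As a packaging point, the file is stored with its mailing-list mbox header rather than a git-format-patch header; once the fix lands upstream, recording its commit id at the top (`Upstream: <UPSTREAM_COMMIT_ID placeholder>`) makes it easy to see when the patch can be dropped on the next rebase.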